2 Networks - One linux box (security question)

OK, I have a linux box set up where I work.  The building is entirely Windows NT/2000 based, with no linux servers anywhere.  I have my linux box set up with 2 NICs in it, one connected to this corporate network (which has a T1 secured with a Sidewinder Firewall system), and the other NIC goes to a DSL router (completely open and unsecured).

I am using this DSL line to get Internet access, since the proxy server runs Microsoft proxy server, and machines need to have Microsoft Proxy Client installed to work.  Well, Linux won't connect through this proxy, that is why I have the extra DSL.

What I'm asking is how can I secure the corporate network connection from the DSL so that users can't hack through the DSL line, through my linux box (which is always on) and into the corporate network, completely bypassing the sidewinder firewall they have setup.

I need to know what to set up so that I can get Internet and run some services (such as apache and mySQL) through this DSL, but not allow any connections going through the DSL line to access the other NIC.

Please help me on this, it would be greatly appreciated.  Thanks in advance.

If you have iptables, use gshield, http://muse.linuxmafia.org/gshield.html
However, if you run a service to the outside, no firewall will protect you if the service itself is vulnerable since the firewall is configured to allow all traffic to the service.

Bob Gunzel

If all you are concerned about is people going _through_ your server then the answer is simple:

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP

Even this is overkill. The first line tells the kernel never to retransmit packets. That is, never act as a router. This will stop any packets coming in on one interface from going out on the other.

The second line tells the kernel to make it a policy (-P) to drop anything that is being forwarded. But since you're already not allowing forwarding in your kernel this is overkill.

However, the much more difficult question is if you are worried about people hacking your computer and then using that to get access to the internal network. You must do some more subtle firewalling then to ensure that your computer doesn't get hacked. A good starting point is:

iptables -P INPUT DROP

This tells the kernel to drop any connection attempts unless they have been explicitly allowed. It is then possible to exercise fine grained control on what things you allow to access your computer. For example, if you want to run a web server you can explicitly allow connections to port 80 (http) by typing:

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

This tells the kernel to append (-A) a rule to the input firewalling table that anything of protocol tcp (-p tcp) arriving on the DSL interface (-i ppp0; I assume that is your DSL interface) having destination port 80 (--dport 80) should be accepted. This would allow external access to the web service. If you wanted everyone on your internal network full access to your computer you would type:

iptables -A INPUT -i eth0 -j ACCEPT

(assuming that your internal NIC is eth0).

Similarly for mysql. It is just a matter of finding out what port it uses and allowing it similarly to the http server above.
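The rules in this answer collected into one reviewable script, as an added example that is not part of the original thread. It uses the asker's interface names (eth0 = internal corporate NIC, eth1 = DSL), not the ppp0 the answer assumed; the `lo` and `ESTABLISHED,RELATED` rules are additions so the box can still make its own outbound connections over the DSL, and the MySQL port (3306) is only an example of what you would append to `DSL_TCP_PORTS` if remote clients actually need it. Running it with no arguments prints the commands; `apply` executes them and needs root.

```shell
#!/bin/sh
# Added example, not from the thread: Geordie's lockdown as one script.
# Interfaces follow the asker's clarification (eth0 = internal, eth1 = DSL).
# The lo and ESTABLISHED,RELATED rules are additions so the box can still
# browse the web itself over the DSL.
# Run without arguments to print the commands; "apply" executes them (root).

INTERNAL_IF="${INTERNAL_IF:-eth0}"   # trusted side, per the answer
DSL_IF="${DSL_IF:-eth1}"             # untrusted DSL side
# TCP services published to the DSL side. 80 is from the answer; add 3306
# (MySQL default) only if clients on the DSL side really need it.
DSL_TCP_PORTS="${DSL_TCP_PORTS:-80}"

build_rules() {
    # 1. The kernel must never route between the two NICs.
    echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
    # 2. Second layer: even if forwarding is switched back on, drop it.
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # 3. Default-deny inbound, then list the exceptions.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Full trust from the internal NIC, as in the answer.
    echo "iptables -A INPUT -i $INTERNAL_IF -j ACCEPT"
    # Published services, reachable from the DSL side only.
    for port in $DSL_TCP_PORTS; do
        echo "iptables -A INPUT -i $DSL_IF -p tcp --dport $port -j ACCEPT"
    done
}

apply_rules() {
    build_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1   # leaves the loop subshell; status reaches caller
    done
}

case "${1:-show}" in
    show)  build_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Review the `show` output before running `apply`, and do it from a console on the box rather than over the network: between `iptables -P INPUT DROP` and the `-i eth0 -j ACCEPT` rule there is a brief window in which an SSH session from the internal side would be dropped.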

phraxionAuthor Commented:
now... if after doing all of this, how can I test to see if I've secured off the internal network from any connections on the DSL line (which is coming in through eth1, my internet is eth0)?

phraxionAuthor Commented:
eth0 = internal network
eth1 = DSL line (hooked to a router)

Yes, it is quite easy to test. Gather the following equipment/information:
1) the IP address of the DSL modem
2) the IP of eth1 on your machine
3) an IP of a reliable server on the inside of the network which you can ping from your machine (through eth0)
4) a laptop with a NIC (running any operating system)

Now give the laptop identical configurations to the DSL modem and plug it into your eth1. Add a route to the internal IP like this:
route add -host reliableIP gw eth1addr                 # Linux laptop
route add reliableIP mask 255.255.255.255 eth1addr     # Windows laptop

And then ping the reliable ip from the laptop. You should be able to ping the reliable ip if kernel forwarding is on and ipforwarding is on. That is, if you do:
echo 1 > /proc/sys/net/ipv4/ip_forward
you should be able to ping the reliable host. Then doing the opposite:
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
should disable pinging (as mentioned in my previous post only one of these lines is strictly necessary).

Good luck, Geordie.
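An on-box companion to the laptop test above, added here as an example and not part of the original thread. The ping from the laptop shows whether packets actually cross; this script reads the two settings that test exercises (the `ip_forward` sysctl and the FORWARD chain policy) and reports whether the box could route between eth0 and eth1. The file path and policy line are parameters of `forward_state` so the logic can be exercised on a machine without iptables or root; `check_box` is the live version and assumes iptables is installed.

```shell
#!/bin/sh
# Added example, not from the thread: report whether this box could still
# forward between its two NICs, from the two settings Geordie's test toggles.
# Usage: sh forwardcheck.sh check   (needs root to read the FORWARD chain)

# forward_state <ip_forward_file> <forward_policy_line>
# Prints one of:
#   blocked - kernel forwarding off AND FORWARD policy DROP (both layers)
#   single  - only one of the two controls is in place (safe, no backup)
#   open    - forwarding on AND FORWARD policy ACCEPT (box is a router)
#   unknown - either setting could not be read
forward_state() {
    fwd_file="$1"
    policy_line="$2"
    fwd=$(cat "$fwd_file" 2>/dev/null || echo unknown)
    # Accept both "iptables -L FORWARD -n" and "iptables -S FORWARD" output.
    case "$policy_line" in
        *"policy DROP"*|*"-P FORWARD DROP"*)     policy=DROP ;;
        *"policy ACCEPT"*|*"-P FORWARD ACCEPT"*) policy=ACCEPT ;;
        *)                                       policy=unknown ;;
    esac
    if [ "$fwd" = unknown ] || [ "$policy" = unknown ]; then
        echo unknown
    elif [ "$fwd" = 0 ] && [ "$policy" = DROP ]; then
        echo blocked
    elif [ "$fwd" = 1 ] && [ "$policy" = ACCEPT ]; then
        echo open
    else
        echo single
    fi
}

# Live check on the box itself (assumes iptables is installed, run as root).
check_box() {
    policy=$(iptables -L FORWARD -n 2>/dev/null | head -n 1)
    forward_state /proc/sys/net/ipv4/ip_forward "$policy"
}

# Run from the laptop plugged into eth1: the ping half of Geordie's test.
laptop_probe() {
    if ping -c 3 -W 2 "$1" >/dev/null 2>&1; then
        echo "reachable: $1 (box is forwarding)"
    else
        echo "unreachable: $1 (box is not forwarding)"
    fi
}

case "${1:-}" in
    check) check_box ;;
    probe) laptop_probe "$2" ;;
esac
```

"single" is the state Geordie describes as sufficient (only one of the two lines is strictly necessary); "blocked" means the FORWARD policy will still hold if someone later flips the sysctl back on.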
phraxionAuthor Commented:
works perfectly... thanks
Question has a verified solution.